State could fine app makers over privacy

PRIVACY

Updated 7:53 pm, Friday, November 30, 2012

Attorney General Kamala Harris sent warning letters to 100 app makers that had not posted a written policy.

Photo: Richard Vogel, Associated Press

A handful of mobile app makers that defied an order from state Attorney General Kamala Harris to post written privacy policies can expect enforcement actions to be filed against them as early as next week.

Several companies might face sanctions after Harris sent warning letters in late October to 100 app makers that had not posted a written policy. The vast majority agreed to comply, said Travis LeBlanc, who oversees the attorney general's new Privacy Enforcement and Protection Unit.

The companies that rejected her order maintain they aren't required to have a policy because the personal data they collect is not subject to the California Online Privacy Protection Act, LeBlanc said. He declined to name the companies or say how many were violating the law.

The prevalence of mobile app downloads has exploded in recent years, while enforcement of privacy protections has struggled to keep up. Privacy advocates say having a policy in place is the minimum requirement for app makers and a necessary first step in educating consumers who increasingly rely on mobile devices to share and store sensitive information.

App makers have 30 days after receiving a warning letter to post a privacy statement or face a $2,500 fine every time an app is downloaded without a privacy policy - which for popular apps could result in a huge penalty.

"We've reached out to industry associations and let everyone know that they have an obligation to do this," LeBlanc said.

The enforcement actions follow a February agreement between the attorney general's office and mobile app platform companies such as Apple and Google that required app developers to make privacy policies available for review before an app is downloaded, rather than after.

Critics of mobile privacy protections say simply having a policy in place - whether on the app platform or directly through the maker of the app - is not sufficient to address the growing volume of personal information being collected by mobile applications.

Free apps riskiest

Those concerns are heightened with free applications, which appear to pose the greatest risk to mobile device users. An analysis of more than 1.7 million apps by the digital security firm Juniper Networks found that free apps were three times more likely to access an individual's address book than paid apps.

"We assume that app developers are interested in delivering the best experience," said Parker Higgins, an activist with the Electronic Frontier Foundation who has followed mobile app development and security closely. "But if they are malicious, it's a little bit more difficult."

Higgins said requiring developers to post a privacy policy is "a good start," but using it as the only defense against invasion of privacy isn't enough to deter app makers from collecting sensitive information.

"As it stands now, you don't need to include very much, and companies can change their policies at any time," Higgins said. "It's not much of a guarantee."

Some Silicon Valley app developers have resisted scrutiny over how personal information is collected and sold to advertisers, arguing that regulation will slow the pace of development. A September study by the technology research company Gartner Inc. predicts that the number of mobile applications downloaded will total more than 45 billion this year, nearly double last year's number.

Even if an app maker clearly lays out its privacy policy, Higgins said the most common privacy breaches come from agreements between apps and advertising networks.

Concerns over mobile apps' access to personal data landed in court this year when a Texas man filed a lawsuit alleging the social networking app Path Inc. violated his privacy by storing his address book information on its servers without his permission.

The suit, filed by Oscar Hernandez in San Francisco federal court in March, claims that Path violated five state laws when it stored its users' information.

S.F. case closely watched

The San Francisco company had issued an apology in February after a developer published a blog post about its practices, and Path said it deleted the database of contacts from its servers. But that wasn't enough to deter Hernandez.

The suit is being closely watched by the industry, Higgins said, because it places a dollar amount on how much it will cost the alleged victim to restore his personal data and remove the company's "tracking mechanisms": $12,250.

"Once you've downloaded the app, to really wipe the slate clean is tremendously expensive," said Brian Strange, Hernandez's attorney. "It's not as simple as just pushing a button."

The case highlights a core issue that privacy policies are meant to address: minimizing surprise on behalf of the user.

"It isn't that they didn't have a policy; it's that users were surprised that they were accessing their private information," said Derek Halliday, senior product manager for San Francisco mobile security company Lookout.

Halliday said the policies are designed to protect app makers, not users. Rather than the typical pages-long policy appended to most apps today, Halliday said app makers should make the policies shorter and clearer, factors that become even more important on the small screens of mobile devices.

Halliday has advised dozens of app developers on how to minimize data collection. In many cases, he said, they were unaware what information - such as locations, e-mail addresses and phone numbers - advertising networks were requesting.

Once a privacy policy is in place, it can open the door for consumers to file claims against app makers with the Federal Trade Commission.

Lauren Gelman, former executive director of Stanford Law School's Center for Internet and Society, said she hopes Harris will take the next step in enforcing mobile privacy protections and fine app makers that are not in compliance.

"The attorney general has enforcement power, not just to issue rules or send letters, but through prosecution," Gelman said. "So this is a welcome sign for people who take privacy seriously."
